Slashdot Mirror


The Search Engine More Dangerous Than Google

mallyn writes "This is an article about a search engine that is designed to look for devices on the net that are not really intended to be viewed and used by the general public. Devices include pool filters, skating rink cooling system, and other goodies. 'Shodan runs 24/7 and collects information on about 500 million connected devices and services each month. It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan. ... A quick search for "default password" reveals countless printers, servers and system control devices that use "admin" as their user name and "1234" as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.'"

16 of 210 comments

  1. dangerous? by schlachter · · Score: 3, Insightful

    Is google dangerous? Sure, it can be used to do bad things. But that's like saying we've discovered a liquid more dangerous than water.

    --
    My God can beat up your God. Just kidding...don't take offense. I know there's no God.
    1. Re:dangerous? by poetmatt · · Score: 3, Insightful

      Google isn't dangerous. People being asinine with computers is dangerous, as any search engine can clearly indicate.

  2. astounding that defaults are not tougher by swschrad · · Score: 1, Insightful

    I mean, how hard is it to ship new devices with something tougher than admin and 1234?

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:astounding that defaults are not tougher by Hatta · · Score: 5, Insightful

      Using a complex default will fool people into thinking the default is secure, and more people will fail to change it. If you're using the same default for every device, it doesn't matter what you use, it's not secure and needs to be changed.

      Now they could issue a different default for every device, but that would require printing a unique card for each device, which is significantly more effort than just telling users to change the default login.

      --
      Give me Classic Slashdot or give me death!
    2. Re:astounding that defaults are not tougher by femtobyte · · Score: 3, Insightful

      So the person setting it up is lulled into thinking that the default "4nk^&nW3)(&" is secure and doesn't need to be reset (despite any attacker being just one web search away from learning the "better" default)? Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

    3. Re:astounding that defaults are not tougher by sinij · · Score: 4, Insightful

      No default password could be secure. The only way is to force password change on first use.

    4. Re:astounding that defaults are not tougher by Attila+Dimedici · · Score: 5, Insightful

      You hit a good point. There is a corollary to it, most devices have a method of resetting the login to the default (usually something that requires physical access to the device) because there are a significant number of times when for one reason or another the correct login credentials have been lost. If the manufacturer does not use the same default login credentials for every one of a particular device and the end user has lost the card they sent with it that has the default credentials (an eventuality that is likely in those cases where the changed credentials have been lost) the company will either have to have maintained a database of the default credentials for every one of their devices they have shipped, or the end user will be SOL (which will probably result in them being very unhappy with the manufacturer).
      The fact of the matter is that a lot of these devices are going to be things which are infrequently accessed, so even if you file the credentials away in a "safe, secure" location by the time you need them again you may have forgotten where that was.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    5. Re:astounding that defaults are not tougher by HCase · · Score: 2, Insightful

      That would be a bad idea.

      1. A default password is a default password, and should be assumed to be public knowledge.
      2. A complicated default password will accidentally trick users into thinking it is more secure than admin/1234. For example, you have already been tricked.
      3. If the device is reset to factory default, the password won't be easily remembered, so a device may be stranded in a default or even unusable state until the owner can find the password via documentation, help-desk, or internet database of default passwords.

      A partial fix that is sometimes used is to give each individual device a separate password, and include this password inside the packaging or attached via sticker. This is somewhat more secure but can lead to problems itself. The user may keep the password, and the password may not be truly unique, or may be guessable. If the password is damaged/lost, the device may be rendered unusable if reset to its default state.

    6. Re:astounding that defaults are not tougher by WindBourne · · Score: 4, Insightful

      I will pay u a dime for every system that currently has 4t&q for password, if u pay me a penny for those with 1234 password. Deal?

      --
      I prefer the "u" in honour as it seems to be missing these days.
    7. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 2, Insightful

      Instead of making the manufacturers print a unique card for each device, how about people change their credentials and print their own cards?

      That happens to be the way it's done already. Ask Shodan how well it's working out.

    8. Re:astounding that defaults are not tougher by cstdenis · · Score: 3, Insightful

      Too expensive in lost sales.

      "I want to return this device. I plugged it in and it doesn't work"

      --
      1984 was not supposed to be an instruction manual.
    9. Re: astounding that defaults are not tougher by maxwell+demon · · Score: 2, Insightful

      No, the point is that the whole thread was about "mathematically speaking". You are making a choice of character sets which is in no way mathematically founded. For mathematics, there's no significant difference between, e.g., the sets {'0','1','2','3','4','5','6','7','8','9'} and {'1','8','t','q','&','%',':','X'}

      The minimum set which contains all characters of the password "1234" is {'1', '2', '3', '4'}, and the minimal set which contains all the characters of the password "t4q&" is {'4', 't', 'q', '&'}. Both have the same number of characters, namely 4, in their respective set, therefore each of the passwords has the probability 1/4^4 = 1/256.

      The minimum set which contains the letters of both passwords is {'1', '2', '3', '4', 't', 'q', '&'}. In that set, both passwords have the same probability 1/7^4=1/2401.

      Of course when evaluating the security of passwords in the real world, we don't just use mathematics, but also the non-mathematical knowledge that we, as humans, denote special significance to certain sets of characters, like the digits, the lowercase characters, and the uppercase characters, and that the hackers know that and therefore tailor their search for those sets. Therefore we define the special sets Digits, LowercaseLetters, UppercaseLetters and SpecialCharacters (i.e. all others). Then we take as base set to approximate(!) the security of a password the union of all the sets that intersect with the set of characters in the password.

      For "1234" all characters lie in Digits, therefore we get a security of 1/10^4. For "4t&q", the letters are in the sets Digits, LowercaseLetters and SpecialCharacters, therefore (assuming ASCII printable characters as base) we get a security of 1/69^4. (Note that your calculation is still wrong in that case because you assumed a strict rule of which positions contain letters, digits and special characters, which is unrealistic in practice, and also you didn't split between lowercase and uppercase characters.)

      Note that even this is just an approximation of the real security, as it assigns "1234" the same security as "3945", and "password" the same security as "hyjtmxsk". In reality, of course "1234" is less secure than "3945", and "password" is vastly less secure than "hyjtmxsk". But the point is, that you need non-mathematical knowledge for those considerations. Mathematically speaking, there's really no difference between "1234" and "4t&q".

      --
      The Tao of math: The numbers you can count are not the real numbers.
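The two estimates maxwell+demon describes above, worked through in code. This is an added example and not part of the thread; it assumes the 95 printable ASCII characters (0x20 to 0x7E, space included) as the base alphabet, so that Digits, LowercaseLetters, UppercaseLetters and SpecialCharacters have 10, 26, 26 and 33 members and their union is 95. The "positional rule" function is a hypothetical reconstruction of the per-position calculation the comment criticises, included only to show why it undercounts.

```python
"""Password search-space estimates from the thread above (added example).

Two estimates are implemented:
  * the purely mathematical one: the alphabet is the minimal set of characters
    appearing in the password(s), so "1234" and "4t&q" look identical;
  * the practical approximation: the alphabet is the union of every character
    class (digits, lowercase, uppercase, special) the password touches,
    with the 95 printable ASCII characters as the base (assumption).
"""
import string

# Assumption: printable ASCII 0x20..0x7E is the base alphabet, 95 characters.
PRINTABLE_ASCII = "".join(chr(c) for c in range(0x20, 0x7F))

# The four classes from the comment. "SpecialCharacters" is everything
# printable that is neither a digit nor a letter: 33 characters incl. space.
CHARACTER_CLASSES = {
    "Digits": set(string.digits),
    "LowercaseLetters": set(string.ascii_lowercase),
    "UppercaseLetters": set(string.ascii_uppercase),
    "SpecialCharacters": (
        set(PRINTABLE_ASCII) - set(string.digits) - set(string.ascii_letters)
    ),
}


def minimal_alphabet(*passwords):
    """Smallest set containing every character of all given passwords."""
    alphabet = set()
    for pw in passwords:
        alphabet |= set(pw)
    return alphabet


def mathematical_search_space(password, *others):
    """|minimal alphabet| ** len(password): the 'mathematically speaking' view.

    Passing extra passwords widens the alphabet to cover all of them, which
    is the 7-character set case in the comment.
    """
    return len(minimal_alphabet(password, *others)) ** len(password)


def touched_classes(password):
    """Names of the classes whose members intersect the password's characters."""
    chars = set(password)
    return {name for name, members in CHARACTER_CLASSES.items() if members & chars}


def approximate_search_space(password):
    """Union of every touched class, raised to the password length."""
    alphabet = set()
    for name in touched_classes(password):
        alphabet |= CHARACTER_CLASSES[name]
    return len(alphabet) ** len(password)


def class_of(ch):
    """Class a single printable ASCII character belongs to."""
    for name, members in CHARACTER_CLASSES.items():
        if ch in members:
            return name
    raise ValueError(f"not printable ASCII: {ch!r}")


def positional_search_space(password):
    """Hypothetical 'strict position' rule the comment calls unrealistic:
    each position is assumed to hold only its own class, so the space is the
    product of the class sizes. It is much smaller than the union estimate."""
    space = 1
    for ch in password:
        space *= len(CHARACTER_CLASSES[class_of(ch)])
    return space


if __name__ == "__main__":
    for pw in ("1234", "4t&q"):
        print(pw,
              "minimal:", mathematical_search_space(pw),
              "union:", approximate_search_space(pw),
              "positional:", positional_search_space(pw))
```

Running it reproduces the comment's numbers: both passwords get a 4^4 = 256 space under the minimal-set view and 7^4 = 2401 when the alphabet must cover both, while the class-union approximation gives 10^4 for "1234" and 69^4 for "4t&q". The positional rule yields only 10·26·33·26 = 223,080 for "4t&q", which is why the comment rejects it as an estimate.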
  3. Internet of things by Hentes · · Score: 3, Insightful

    But that's the next big thing, haven't you heard? Giving net access to unsecured hardware is the way forward!

  4. Shodan by Anonymous Coward · · Score: 0, Insightful

    "Look at you, Hacker. A pathetic creature of meat and bone. Panting and sweating as you run through my corridors. How can you challenge a perfect, immortal machine?"

  5. Slashdot brings you yesterday's news today by damn_registrars · · Score: 1, Insightful

    I was reading this same CNN article yesterday. I considered submitting it here but figured people had already read it... guess not. Glad I can still come here to find yesterday's news, though.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  6. What is wrong with you mods!? by Anonymous Coward · · Score: 2, Insightful

    He states, and I quote:

    no laughing matter.

    And you go ahead and mod him "Funny"